Re: Howto authenticate smartPhone via Active Directory
On Tue, 5 Dec 2017 16:42:15 +0100 mj lists@merit.unu.edu wrote:
Hi,
Not much time to reply now.
On 12/05/2017 05:21 AM, Mark Foley wrote:
mj - thanks! That's the first useful example I've received from any forum/list. I'm getting ready to try my config (have to do so after hours), but I have some probably simple-minded questions:
Well, that looks as if you are testing/trying out on your production machine. Why not set up a separate (virtual?) test server to play with..? Use the same os version, with the same dovecot version. Or clone your production machine, so you can test as much as you like, without time pressure, at any given time.
I've been playing with this ldap authentication for a couple of years off and on. Time isn't a problem. The issue with setting up a test environment is that I really need the domain workstations and external smartphone attempting to connect when I make a change so I can follow what's going on in the Dovecot log and maillog. It's rather simple to test a change, then put things back. I'll likely not go the test platform route for now, but thanks for the input.
Your example is not the complete dovecot-ldap.conf.ext file, right? Have you just given me differences in your config from the "original"? You've kept the hosts, base, ldap_version, scope, deref, debug_level, and auth_bind_userdn settings in your config, right?
Not the complete file, no. I just provided the essentials.
[deleted]
Ok, here's what I've come up with for dovecot-ldap.conf.ext
hosts = mail.hprs.local
base = dc=mail, dc=hprs, dc=local
ldap_version = 3
scope = subtree
deref = never
debug_level = -1
auth_bind = yes
auth_bind_userdn = %n@dom
dn = cn=Administrator,cn=users,dc=hprs,dc=local
dnpass = *******
user_filter = (&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl=514)))
pass_filter = (&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl=514)))
I've enabled auth-ldap.conf.ext in 10-auth.conf. My doveconf is listed at bottom.
Unfortunately, this doesn't work. My remote devices are not even showing as trying to connect. For internal domain LAN users I get:
Dec 06 01:08:10 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 30 secs): user=<>, rip=192.168.0.52, lip=192.168.0.2, session=<3/ZyxaVfE8PAqAA0>
I do see ldap listening on 389, imap[s] (Dovecot) listening on 143 and 993, these last two are opened externally through the firewall.
For the rest: my advice is that you *really* need to play around with this much more. Get yourself a test environment, and play and test.
Plus: read some dovecot/ad howto's, and try things in your own environment.
Quick google returns: https://www.howtoforge.com/postfix-dovecot-authentication-against-active-dir...
I know my level of sophistication on this must sound like I've glibly posted a question hoping someone will do the work for me without my having to do any thinking myself, but believe me, I've been reading and experimenting with this for a very long time. I've got internal AD authentication working with GSSAPI and I've got a rather complex checkpassword program able to do authentication, so I don't think I'm a complete moron, although this project makes me feel that way. Now, I just want smartphones to authenticate with their owners' domain credentials and get them out of /etc/passwd.
I believe I've read all the Dovecot wikis on ldap plus things from many other sites. I've been to that howtoforge site before. It mostly deals with setting up Postfix, which I'm not using. The dovecot bits make more sense in light of your feedback. I've tried that ldapsearch example:
ldapsearch -x -h ad.example.com -D 'vmail' -W -b 'cn=users,dc=example,dc=com'
with the domain user I specified in my dovecot-ldap.conf.ext with my host and dc info and I get the error
ldap_bind: Strong(er) authentication required (8)
        additional info: BindSimple: Transport encryption required.
I've seen confusing postings on this error having to do with port 636 and LDAPS -- no idea what they're talking about. My user is the Samba/domain administrator and has a pretty complex password. None of the sites I've visited on this error indicate it has anything to do with the actual password's complexity.
Perhaps I'm just thick-skulled with all this.
If you or anyone can see something obviously wrong with my conf, or have any suggestion at all on a baby step I can take to inch me forward, please let me know.
Thanks, --Mark
doveconf -n:
# 2.2.33.2 (d6601f4ec): /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 4.4.88 x86_64 Slackware 14.2
auth_debug = yes
auth_debug_passwords = yes
auth_gssapi_hostname = $ALL
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
auth_mechanisms = plain login gssapi
auth_use_winbind = yes
auth_username_format = %n
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
passdb {
  driver = shadow
}
protocols = imap
ssl_cert =
Hi,
ldap_bind: Strong(er) authentication required (8)
        additional info: BindSimple: Transport encryption required.
If you are using recent (4.7) samba, your problem could be that it requires ssl ldap by default, unless you configure
ldap server require strong auth = no
in smb.conf.
MJ
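
Added example, not part of either post and not Dovecot or Samba code: a small checker that reads a dovecot-ldap.conf.ext and, optionally, an smb.conf, and reports when a simple bind (auth_bind or dnpass) would send a password over unencrypted LDAP, which is the condition behind the "Transport encryption required" error above. The sample configs are constructed from the settings posted in this thread; the finding codes, the CA path and the precedence of uris over hosts are assumptions.

```python
# Constructed sample shaped like the settings posted in this thread (password omitted).
THREAD_CONF = """\
hosts = mail.hprs.local
ldap_version = 3
auth_bind = yes
dn = cn=Administrator,cn=users,dc=hprs,dc=local
dnpass = PLACEHOLDER
"""
# Same settings with StartTLS and certificate checking; the CA path is a placeholder.
HARDENED_CONF = THREAD_CONF + """\
tls = yes
tls_ca_cert_file = /path/to/ca.pem
tls_require_cert = demand
"""

def parse_settings(text):
    """Read 'key = value' lines; dovecot-ldap.conf.ext and smb.conf share this shape."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":
            continue
        key, sep, value = line.partition("=")  # split on the first '=' only
        if sep:
            settings[" ".join(key.lower().split())] = value.strip()
    return settings

def ldap_transport(conf_text):
    """Return 'encrypted' or 'plaintext' for the weakest endpoint configured."""
    s = parse_settings(conf_text)
    starttls = s.get("tls", "no").lower() == "yes"
    # Assumption: 'uris' is used instead of 'hosts' when both are set.
    endpoints = s.get("uris", "").split() or ["ldap://" + h for h in s.get("hosts", "").split()]
    ok = endpoints and all(u.lower().startswith("ldaps://") or starttls for u in endpoints)
    return "encrypted" if ok else "plaintext"

def audit(dovecot_ldap_text, smb_conf_text=""):
    """Return finding codes (names are this example's own) for the two configs."""
    findings = []
    s = parse_settings(dovecot_ldap_text)
    encrypted = ldap_transport(dovecot_ldap_text) == "encrypted"
    if not encrypted and (s.get("auth_bind", "no").lower() == "yes" or "dnpass" in s):
        findings.append("PLAINTEXT_BIND")  # bind password crosses the wire in clear
    if encrypted and s.get("tls_require_cert", "").lower() in ("never", "allow"):
        findings.append("CERT_NOT_VERIFIED")  # TLS on, but server identity unchecked
    if parse_settings(smb_conf_text).get("ldap server require strong auth", "").lower() == "no":
        findings.append("SERVER_ALLOWS_PLAINTEXT_BIND")
    return findings

if __name__ == "__main__":
    print(audit(THREAD_CONF), audit(HARDENED_CONF))
```

With the smb.conf change alone the bind succeeds but the checker still reports PLAINTEXT_BIND; adding tls = yes (or an ldaps:// URI) to dovecot-ldap.conf.ext clears it without relaxing the server.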